Google's EU User Consent Policy and AdSense
Every website running Google AdSense in the European Economic Area, United Kingdom, or Switzerland must comply with Google's EU User Consent Policy. This policy translates the obligations of the GDPR and the ePrivacy Directive into concrete technical requirements that Google enforces at the ad-serving level.
The policy requires you to disclose how your site uses cookies and personal data for ad personalisation. Visitors must give affirmative consent before any non-essential cookies fire - including cookies used for frequency capping, aggregated reporting, and fraud prevention. A passive "continue browsing" model does not satisfy Google's requirements.
Non-compliance carries real consequences. Google may suspend your AdSense account after issuing a non-compliance notice, cutting off ad revenue entirely.
The Certified CMP Requirement
Since January 2024, Google has required publishers to use a Consent Management Platform that holds Google certification and integrates with the IAB Transparency and Consent Framework. This applies to all ad formats - display, native, video, and auto ads - served to users in the EEA and UK. Switzerland was added to the scope in July 2024.
A certified CMP handles the technical handshake between your consent banner and Google's ad stack. When a visitor makes a consent choice, the CMP generates a TC string - a standardised encoded signal that tells Google (and every other vendor in the programmatic chain) exactly what the user has permitted. Without this string, Google defaults to serving "Limited Ads", which carry significantly lower CPMs.
Your CMP must meet several criteria to qualify:
- Registration with IAB Europe as a TCF CMP
- Passing Google's certification process
- Generating valid TC strings that include Google's vendor ID
- Displaying all required vendor disclosures in the consent interface
TCF v2.3: The February 2026 Deadline and What Changed
The IAB released TCF v2.3 to address a significant gap in earlier versions. Under TCF v2.2, there was ambiguity about whether a vendor had actually been disclosed to the user in the CMP interface. A vendor could appear in the TC string without the user ever seeing its name - a compliance problem that regulators flagged repeatedly.
TCF v2.3 makes the disclosedVendors segment mandatory. This binary signal confirms that each vendor listed in the TC string was genuinely shown to the user before consent was collected. Google announced on 3 November 2025 that all publishers and CMPs must migrate to TCF v2.3 by 28 February 2026.
That deadline has now passed.
TC strings generated without the required disclosedVendors segment are treated as invalid. Google has introduced error code 1.4 in its TCF error reports to flag strings where this segment is missing, malformed, or does not include Google as a disclosed vendor. If your CMP still produces v2.2 strings, your ad requests default to Limited Ads.
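A self-check for the three conditions listed above (segment missing, malformed, or Google not disclosed), as an added example that is not Google's validator or any CMP's code. It assumes the segment layout from the IAB TCF specification (optional segments follow the core after a `.`, and DisclosedVendors carries segment type 1) and Google's ID 755 in the IAB Global Vendor List; the function names, result labels and sample strings are constructed for illustration.

```javascript
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
const GOOGLE_VENDOR_ID = 755; // assumption: Google's ID in the IAB Global Vendor List

// Decode one base64url segment (TC strings are unpadded) into a string of bits.
function toBits(segment) {
  let bits = '';
  for (const ch of segment) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error('invalid base64url character');
    bits += v.toString(2).padStart(6, '0');
  }
  return bits;
}

// Parse a DisclosedVendors segment: 3-bit type, 16-bit MaxVendorId,
// 1-bit IsRangeEncoding, then either a bitfield or a list of range entries.
function disclosedVendorIds(bits) {
  let pos = 3; // skip the segment type
  const read = (n) => {
    if (pos + n > bits.length) throw new Error('segment truncated');
    const v = parseInt(bits.slice(pos, pos + n), 2);
    pos += n;
    return v;
  };
  const maxId = read(16);
  const ids = new Set();
  if (read(1) === 0) {
    for (let id = 1; id <= maxId; id++) if (read(1)) ids.add(id);
  } else {
    for (let n = read(12); n > 0; n--) {
      const isRange = read(1), start = read(16), end = isRange ? read(16) : start;
      for (let id = start; id <= end; id++) ids.add(id);
    }
  }
  return ids;
}

// Classify a TC string; the core segment (first part) is not parsed here.
function checkDisclosedVendors(tcString, vendorId = GOOGLE_VENDOR_ID) {
  try {
    const optional = tcString.split('.').slice(1).map(toBits);
    const dv = optional.find((b) => parseInt(b.slice(0, 3), 2) === 1);
    if (!dv) return 'missing';
    return disclosedVendorIds(dv).has(vendorId) ? 'ok' : 'vendor-not-disclosed';
  } catch (e) {
    return 'malformed';
  }
}

const CORE = 'CAAAAAAAAAAA'; // constructed placeholder core segment
console.log(checkDisclosedVendors(CORE + '.IF5wAQF5g'), checkDisclosedVendors(CORE));
```

On a live page the string to check is the `tcString` field your CMP returns through the TCF JavaScript API.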
Revenue Impact of Non-Compliance
Limited Ads serve only non-personalised, contextual advertising. Industry estimates suggest this can reduce programmatic revenue by 50% or more compared to fully consented, personalised ad serving. For publishers relying on programmatic advertising, the financial impact is immediate and measurable.
Google Consent Mode v2 and AdSense
Google Consent Mode v2 works alongside the TCF integration. It communicates user consent status to all Google tags on your page through two key parameters: ad_storage and ad_personalization. When both are set to denied, Google's tags adjust their behaviour - cookies like __gads, __gpi, and _gcl_au are not set, and no personal data is collected for ad targeting.
From July 2025, Google began restricting data collection from websites that do not transmit consent signals through Consent Mode v2. Tags without proper consent signals may not fire at all, and remarketing lists can be disabled.
| Consent Signal | Effect When Granted | Effect When Denied |
|---|---|---|
| ad_storage | Ad cookies set normally (__gads, __gpi) | No ad cookies written to browser |
| ad_personalization | Personalised ads served, remarketing active | Only contextual/non-personalised ads |
| ad_user_data | User data sent to Google for ad purposes | No user data shared for advertising |
| analytics_storage | Analytics cookies set (_ga, _gid) | Cookieless pings with limited data |
Setting Up Your Consent Banner for AdSense Compliance
Your cookie banner needs specific elements to satisfy Google's policy. The first layer of the banner must explicitly mention "ads personalisation" - a requirement many generic banners miss. A vague reference to "third-party cookies" is not sufficient.
The banner must also include:
- A clear affirmative action for consent (button labelled "Accept" or similar)
- An equally accessible option to refuse (no dark patterns hiding the reject button)
- A link to Google's Business Data Responsibility site
- A list of vendors or a link to the full vendor list within the TCF interface
Consent must be collected before any ad-related cookies are set. If your implementation fires AdSense tags on page load and only asks for consent afterwards, you are already in breach of both GDPR cookie consent rules and Google's policy.
Blocking AdSense Before Consent
The technical implementation depends on how you load AdSense. If you use Google Tag Manager, set up a consent initialisation trigger that fires before any other tags. Your CMP should push consent state to the dataLayer, and your AdSense tag should only fire when ad_storage and ad_personalization are both granted.
For direct AdSense code integration, wrap the ad script in a conditional loader that checks consent status through your CMP's JavaScript API. Alternatively, use type="text/plain" on the script tag and let your CMP swap it to text/javascript once consent is given.
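One way to write the conditional loader for a direct integration, as an added example that is not Google's or any CMP vendor's code. It assumes a TCF CMP exposing the standard `__tcfapi` function, gates on TCF Purpose 1 plus consent for Google (vendor ID 755 in the IAB Global Vendor List), and uses a placeholder publisher ID; `adConsentGranted` and `gateAdSense` are hypothetical names.

```javascript
const GOOGLE_VENDOR_ID = 755; // assumption: Google's ID in the IAB Global Vendor List
const ADSENSE_SRC = 'https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js';

// True only once the user has made (or previously stored) a choice that
// permits device storage (TCF Purpose 1) and consents to Google as a vendor.
function adConsentGranted(tcData) {
  if (!tcData) return false;
  const settled = tcData.eventStatus === 'tcloaded' ||
                  tcData.eventStatus === 'useractioncomplete';
  if (!settled) return false;                    // banner still open: keep blocking
  if (tcData.gdprApplies === false) return true; // CMP reports visitor out of scope
  const purposes = (tcData.purpose && tcData.purpose.consents) || {};
  const vendors = (tcData.vendor && tcData.vendor.consents) || {};
  return purposes[1] === true && vendors[GOOGLE_VENDOR_ID] === true;
}

// Registers a TCF listener and injects adsbygoogle.js at most once.
// Returns false (and loads nothing) when no CMP is present: fail closed.
function gateAdSense(win, doc, clientId) {
  if (typeof win.__tcfapi !== 'function') return false;
  let loaded = false;
  win.__tcfapi('addEventListener', 2, (tcData, success) => {
    if (!success || loaded || !adConsentGranted(tcData)) return;
    loaded = true;
    const script = doc.createElement('script');
    script.async = true;
    script.crossOrigin = 'anonymous';
    script.src = ADSENSE_SRC + '?client=' + encodeURIComponent(clientId);
    doc.head.appendChild(script);
  });
  return true;
}

// Browser entry point; 'ca-pub-0000000000000000' is a placeholder publisher ID.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  gateAdSense(window, document, 'ca-pub-0000000000000000');
}
```

This loader only delays the first load of the script; it does not unload it if consent is withdrawn later in the session.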
What Happens When Users Reject Consent
When a visitor declines ad cookies, Google serves Limited Ads. These ads do not use cookies for targeting or personalisation but still use contextual signals - the page content, device type, and general location - to select relevant ads.
Limited Ads still require consent for cookie storage under the ePrivacy Directive, because even non-personalised ads use cookies for frequency capping and fraud detection. Article 5(3) of the ePrivacy Directive covers all non-essential storage on the user's device, regardless of purpose. A full rejection of cookies therefore means no ads at all in strict opt-in jurisdictions.
For publishers concerned about revenue loss from rejected consent, consider these approaches:
- Improve banner design to increase consent rates without using manipulative patterns
- Use server-side tagging to reduce visible third-party cookies
- Diversify revenue beyond programmatic ads (subscriptions, sponsorships, affiliate)
Common AdSense Consent Mistakes
| Mistake | Why It Fails | Fix |
|---|---|---|
| Loading AdSense before consent | Cookies set without legal basis | Block scripts until CMP callback confirms consent |
| Using a non-certified CMP | Google cannot read TC string | Switch to a Google-certified CMP with TCF integration |
| Missing vendor disclosures | TCF v2.3 requires disclosed vendors segment | Ensure CMP lists all vendors including Google |
| No "ads personalisation" text on banner | Google policy requires explicit mention | Add clear reference to personalised advertising on first layer |
| Consent Mode not implemented | Google tags ignore consent state | Implement Consent Mode v2 with correct default values |
Frequently Asked Questions
Do I need a certified CMP for AdSense in 2026?
Yes. Since January 2024, Google requires all AdSense publishers serving ads in the EEA, UK, and Switzerland to use a CMP that is both Google-certified and integrated with the IAB Transparency and Consent Framework. Without one, your ads default to Limited Ads or may not serve at all.
What is TCF v2.3 and why does it matter for AdSense?
TCF v2.3 is the latest version of the IAB's Transparency and Consent Framework. It requires a mandatory disclosedVendors segment in the TC string to prove that vendors were actually shown to users. Google dropped support for v2.2 strings after 28 February 2026.
Can I run AdSense without any cookies?
Not entirely. Even non-personalised (Limited) ads use cookies for frequency capping and fraud prevention. Under the ePrivacy Directive, consent is required for these cookies too. If a user rejects all cookies, no AdSense ads can be served in EEA countries.
How much revenue do publishers lose without consent?
Industry estimates suggest that defaulting to Limited Ads can reduce programmatic revenue by 50% or more. The exact impact depends on your audience geography, ad formats, and the proportion of visitors who decline consent.
Does Google Consent Mode v2 replace the TCF requirement?
No. Consent Mode v2 and TCF serve different functions. Consent Mode communicates consent state to Google tags, while the TCF provides the standardised consent string required by the programmatic advertising ecosystem. Both are needed for full AdSense compliance.
What happens if my CMP still uses TCF v2.2?
TC strings without the mandatory v2.3 disclosedVendors segment are treated as invalid by Google. Your ad requests will default to Limited Ads, significantly reducing your ad revenue. Contact your CMP provider to confirm they support TCF v2.3.
Take Control of Your Cookie Compliance
If your AdSense setup still relies on an outdated CMP or lacks proper Consent Mode integration, your ad revenue is at risk today. Kukie.io provides cookie scanning, banner management, and TCF integration to help you meet Google's requirements without the guesswork.